Bug 1403615: Also follow the NODE_DESCENDANTS_NEED_FRAMES bit in ClearRestyleStateFromSubtree. r=bholley
☠☠ backed out by dbf1351a429a ☠ ☠
authorEmilio Cobos Álvarez <emilio@crisal.io>
Wed, 27 Sep 2017 19:19:12 +0200
changeset 383321 379e7e7bf80dec2bf8f7df41a7021e4839d9b0ad
parent 383320 d4ccab1528bf4fe48bcbde2ea7b57cb9313e794a
child 383322 2bbc62515048f80a21bccacb7e91eaaf094a96e4
push id95539
push userkwierso@gmail.com
push dateThu, 28 Sep 2017 00:01:12 +0000
treeherdermozilla-inbound@72de90e66155 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersbholley
bugs1403615
milestone58.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1403615: Also follow the NODE_DESCENDANTS_NEED_FRAMES bit in ClearRestyleStateFromSubtree. r=bholley We don't follow this bit intentionally because we know that even if it's set, when none of the other two bits are set there are no other restyle / change hints down the tree. We rely on the frame constructor to clean the mess up, though, and it doesn't really do a good work about it. In particular, the case we're hitting on the test-case is: <body descendant-need-frames change=reconstruct style="display: table-column-group"> <div descendant-need-frames> <div descendant-need-frames> <span needs-frame></span> </div> </div> </body> When we see we need to reconstruct the body, we call ClearRestyleStateFromSubtree, but that doesn't do much now, since we don't follow the descendant-need-frames bits. Then, when we reconstruct the content, we arrive at[1] when constructing the first child <div>. The <div> flags have been cleared, but not the children's! Then a text-node is inserted in a <div>, breaking all sorts of invariants. This is the easiest fix. Other fixes include clearing the flags on SetAsUndisplayedContent. But that implies not clearing them in ShouldCreateItemsForChild, and doing that somewhere more sensible. I suspect it's not too hard, but that's a slightly more risky change, will do it if you prefer it. [1]: http://searchfox.org/mozilla-central/rev/3dbb47302e114219c53e99ebaf50c5cb727358ab/layout/base/nsCSSFrameConstructor.cpp#6092 MozReview-Commit-ID: 7026wkQLQkz
layout/base/ServoRestyleManager.cpp
layout/style/crashtests/1403615.html
layout/style/crashtests/crashtests.list
--- a/layout/base/ServoRestyleManager.cpp
+++ b/layout/base/ServoRestyleManager.cpp
@@ -410,18 +410,17 @@ ServoRestyleManager::ClearServoDataFromS
   }
 
   aElement->ClearServoData();
 }
 
 /* static */ void
 ServoRestyleManager::ClearRestyleStateFromSubtree(Element* aElement)
 {
-  if (aElement->HasDirtyDescendantsForServo() ||
-      aElement->HasAnimationOnlyDirtyDescendantsForServo()) {
+  if (aElement->HasAnyOfFlags(Element::kAllServoDescendantBits)) {
     StyleChildrenIterator it(aElement);
     for (nsIContent* n = it.GetNextChild(); n; n = it.GetNextChild()) {
       if (n->IsElement()) {
         ClearRestyleStateFromSubtree(n->AsElement());
       }
     }
   }
 
new file mode 100644
--- /dev/null
+++ b/layout/style/crashtests/1403615.html
@@ -0,0 +1,24 @@
+<html class="reftest-wait">
+<script>
+window.onload = () => {
+  a = document.createElement("body")
+  b = document.createElement("span")
+  a.appendChild(b)
+  c = document.createElement("div")
+  d = document.createElement("div")
+  c.appendChild(d)
+  a.appendChild(c)
+  document.documentElement.appendChild(a)
+  requestIdleCallback(() => {
+    a.style.display = "table-column-group"
+    d.appendChild(document.createTextNode("\u05D2"))
+    requestIdleCallback(() => {
+      d.appendChild(document.createElement("span"))
+      b.style.zIndex = "1073741824"
+      document.documentElement.offsetTop;
+      document.documentElement.removeClass("reftest-wait");
+    })
+  })
+}
+</script>
+</html>
--- a/layout/style/crashtests/crashtests.list
+++ b/layout/style/crashtests/crashtests.list
@@ -227,8 +227,9 @@ load 1401801.html
 load 1401256.html
 load 1402419.html
 load 1401706.html
 load 1400936-1.html
 load 1400936-2.html
 load 1402472.html
 load 1402366.html
 load 1403028.html
+load 1403615.html